Imploder Plugin v1.04
by BoB
Created 24.12.2006


Description

Imploder is a plugin that allows you to add other files to a PE-file..

The files you add are compressed and added to a built-in archive, which is embedded within a loader that is appended in a new section to your target PE-file..

Each file can be decompressed to a separate directory, and loaded from within your program.. Sub-directories can also be added, and are created if the sub-dir doesn't exist..
Some of the built-in extract directories include: My Documents, Program Files, Exe Path, Current Dir, Temp Dir, Windows Dir, System32 ..

So if you wanted to extract a font, select Extract dir of Windows and sub-dir of Fonts and the font will be extracted to C:\Windows\Fonts\ - or whatever the windows drive and dir is on the host computer.

You can now load DLLs virtually, which means that the DLL does not need to be extracted to disk before use. This is a lot more secure, and your program will definitely find the DLLs it needs on any system..

The import table is also removed and filled by the loader, to allow you to include DLLs that may not be available on a host system.

It is up to you and your target program to delete files after use, should you want to..


You can choose (since v1.03) to add a file to the archive, but not extract it. There is now an API from the loader you can call from within the host program to extract a file..

Function ExtractFile(Name : PChar; Path : PChar) : DWord; StdCall;


To get the address of the API, use GetProcAddress as usual except put null as the LibBase..

EG: Extract := GetProcAddress(0, 'ExtractFile');

This might be used for a program that only occasionally needs to drop a file somewhere, or for an installer maybe.
The path passed to the function (and any sub-dirs) is created if it doesn't exist ..

Since v1.04, if you put a filename at the end of the path name, the file will be extracted under this name instead of under its name in the archive.
Also since v1.04 there are more APIs:

OpenFile (NameInArchive) : DWord; StdCall; -- Unpacks and loads file into allocated mem, return address..
CloseFile (Handle : DWord); StdCall; -- Frees memory used by file, and handles ..
FileExists (NameInArchive) : DWord; StdCall; -- Returns 0 if not found, 1 if found .. (doesn't have to be open)
SizeFile (NameInArchive) : DWord; StdCall; -- Returns unpacked size of file (doesn't have to be open)

Example usage (Delphi - Actually from my plugins installer, which is built using Imploder) :

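Var
  Addr : DWord;
  Size : DWord;
  // ..
// FileExists returns a DWord (0 = not found, 1 = found), so compare explicitly
IF FileExists('MusicData') <> 0 THEN Begin
   Addr := OpenFile('MusicData');     // unpacked into allocated memory, address returned
   Size := SizeFile('MusicData');     // unpacked size
   BeRoXM.Module.Load(Addr, Size);
   CloseFile(Addr);                   // frees the memory used by the file
End;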


Also, since v1.04, you can load a file from the archive using the normal APIs, just as if the file existed on disk.. If a file with that name exists on disk, it is given preference over the archive version; if you don't want this, delete the file from disk..

Example:

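Var
    hFile : DWord;
    Size, I : DWord;
    S : String;
Begin
  // Opens the file on disk if present, otherwise the copy in the archive (via the loader's hook)
  hFile := CreateFile('MusicData', GENERIC_READ, FILE_SHARE_READ, nil, Open_Existing, FILE_ATTRIBUTE_NORMAL, 0);
  If hFile = INVALID_HANDLE_VALUE Then Exit;
  Try
    Size := GetFileSize(hFile, Nil);
    SetLength(S, Size);
    // Buffer is an untyped var parameter: pass S[1], not @S[1]
    If Size > 0 Then ReadFile(hFile, S[1], Size, I, Nil);
  Finally
    CloseHandle(hFile);
  End;
End;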

..The only difference between this and 'normal' code is that CreateFile returns the address of the file in memory (it is unpacked into virtual memory), so you can use the return value of the CreateFile API just the same as that of the internal API OpenFile() above ..


If you don't understand a word of this, you probably downloaded the wrong file.. !


Features

     o    Simple archive format to allow many files bundled with just one section added..
     o    Works with many file-types, even packed files! (Tested with UPX, PECompact2 and others)
     o    Overlay aware - any overlay is saved before processing and added to end of file after loader section added ..
     o    Imports are fully processed from within loader, so you can include DLLs that are imported by host file..
     o    Many standard system directories can be used as extract path, and subdirectories are created if not existing..
     o    Smallest possible Import Table.. (I think - tell me if I'm wrong :) No, you can't remove it entirely, Win 2000 crashes..
     o    Resulting bundled file can be compressed after other files added..
     o    Virtual DLL loading ..
     o    Use files within built-in archive virtually - without extracting to disk ..
     o    It's free !
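
The layout described above (loader in one added section, any overlay put back at the end of the file) can be read straight from the PE headers. Added example in Python, not part of Imploder or written by its author: it lists the sections, names the one holding the entry point, and finds where the overlay starts. The `.ldr` section name and the bytes from `build_sample()` are constructed for illustration; this readme does not name the loader section.

```python
import struct

def pe_layout(data):
    """Summarise section table, entry-point section and overlay of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]  # SizeOfOptionalHeader
    entry_rva = struct.unpack_from("<I", data, pe + 24 + 16)[0]
    table = pe + 24 + opt_size
    sections = []
    for i in range(nsec):
        off = table + 40 * i                               # 40-byte section headers
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, rva, rsize, rptr = struct.unpack_from("<4I", data, off + 8)
        sections.append({"name": name, "rva": rva, "vsize": vsize,
                         "raw_ptr": rptr, "raw_size": rsize})
    # The overlay is whatever follows the highest end of raw section data.
    raw_end = max((s["raw_ptr"] + s["raw_size"] for s in sections if s["raw_size"]), default=0)
    entry = next((s["name"] for s in sections
                  if s["rva"] <= entry_rva < s["rva"] + max(s["vsize"], s["raw_size"])), None)
    last = max(sections, key=lambda s: s["raw_ptr"])["name"] if sections else None
    return {"sections": [s["name"] for s in sections], "last_section": last,
            "entry_section": entry, "overlay_offset": raw_end,
            "overlay_size": max(len(data) - raw_end, 0)}

def build_sample():
    """Constructed 2-section PE32 stub with 5 overlay bytes (not a real bundled file)."""
    pe = 0x80
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", pe) + b"\0" * (pe - 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    struct.pack_into("<I", opt, 16, 0x2000)    # constructed: entry point in 2nd section
    def sec(name, vsize, rva, rsize, rptr):
        return name.ljust(8, b"\0") + struct.pack("<4I", vsize, rva, rsize, rptr) + b"\0" * 16
    heads = sec(b".text", 0x200, 0x1000, 0x200, 0x200) + sec(b".ldr", 0x200, 0x2000, 0x200, 0x400)
    image = (dos + coff + bytes(opt) + heads).ljust(0x200, b"\0")
    return image + b"\xCC" * 0x200 + b"\x90" * 0x200 + b"OVRLY"

if __name__ == "__main__":
    print(pe_layout(build_sample()))
```

Comparing this summary for a file before and after bundling shows the one added section and whether the overlay kept its size.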


Changes

V1.00 - 24/12/2006
     o    Add Compressed files to PE File + Unpack code + Loader..
     o    Packs orig Import table and fills before dropping files..
     o    Overlay is kept and replaced at end of file..
     o    Can extract to 8 different paths (and any sub-path) ..

V1.01 - 27/01/2007
     o    Added Virtual LoadLibrary function .. (Suggested by Jupiter)
     o    Patched imported LoadLibraryA/W to return virtually loaded DLL base address..
     o    Patched imported GetModuleHandleA/W to return base of virtually loaded DLL..
     o    Patched imported FreeLibrary to free memory used by virtual DLLs..
     o    Hooked GetProcAddress to work with virtual DLL ..
     o    Hooks GetProcAddress + LoadLibraryA/W in hooked GetProcAddress.. :)
     o    Updated aPLib to 0.43 ..
     o    Can now change order of files dropped.. (Right-click on list)
     o    Added Load / Save Project.. (Right-click on list)
     o    Added Load file-list from Project - To add list to different target.. (Right-click on list)
     o    Added Clear List option.. (Right-click on list)
     o    Encrypted Archive Data (so if data not packed then still not editable)..
     -    Fixed buggy FreeMem function ..

V1.02 - 18/02/2007
     o    Made better function for showing import errors ..
     o    Now DLLs can be used as host to bundled files .. !
     o    Updating a file in list now leaves file in same place ..
     o    Added horizontal scrolling to all Edit controls on main GUI..
     o    Improved GUI in various ways..
     o    Improved Encryption..
     -    Fixed reversed list of files in LoadProject / Load File-List..
     -    Removed IAT destroying code for compatibility ..

V1.03 - 27/03/2007
     o   Uses hash instead of offset + name in virtual files .. (more secure & efficient)
     o   Ensures NtHeader ImageSize is correct for Virtual DLLs ..
     o   Hooks virtual DLLs apis too so they can use each other ..
     o   Added Anti-Dump code for virtual DLLs ..
     o   Improved Anti-Debug code ..
     o   Cleans stack before jump OEP ..
     o   Added "Don't Extract" to extract dirs - file will only be dropped if func called by user ..
     o   Can Extract files with func returned from GetProcAddress(Null, 'ExtractFile') ..
     o   ExtractFile function will create any path passed to it, and any sub-dirs ..
     o   Removes unused header stuff from virtual DLLs .. (More compression, harder to rebuild)
     o   Now always applies hooks .. Before, Loader only hooked APIs when virtual dlls were used ..
     o   Works with DelayImport-ed Virtual DLLs .. Thx Jupiter!
     o   Uses stack instead of local variables for hooked functions..
     o   Added High and Low fixes to relocs processing as BeRoExePacker DLLs use them ..
     o   Mutates Encrypt / Decrypt Routines ..
     o   Included small loader for plugin, to use plugin as exe .. Created by Jupiter (Thx!)
     o   Passing project to loader will load project, passing /RUN:<project> will auto build project..
     o   Added error handling around EP calls from LoadLibrary + FreeLibrary ..
     o   Hooked FreeLibrary clears used virtual DLL table memory when all freed ..
     o   Hooks ExitProcess to free used memory ..
     o   Now sets DLL re-entry in code ..
     o   Added some SEH stuff to catch errors in loader ..
     o   Added function to get true size of imports before packing and removing..
     o   Hooked DLL functions now remove any paths from filenames ..
     o   Added Load / Save Project buttons on Main GUI ..
     o   Added highlight to lines in Log that open websites when double-clicked ..
     o   Made file-list look nicer by ownerdrawing everything.. :)
     ~   Fixed bug in GetProcAddress hook where ordinal not checked before str compare .. Thx Jupiter!

V1.04 - 22/04/2007 - Name changed to Imploder ..
     o   Added Apis to find, open, get size and close files from Archive into memory:
     o     FileExists (NameInArchive) : DWord -- Returns 0 if not found, 1 if found .. (doesn't have to be open)
     o     OpenFile (NameInArchive) : DWord -- Unpacks and loads file into allocated mem, return address..
     o     SizeFile (NameInArchive) : DWord -- Returns unpacked size of file (doesn't have to be open)
     o     CloseFile (Handle : DWord) -- Frees memory used by file, and handles ..
     o   Changed ExtractFile API so if filename at end of path then save as that name, else use arc name ..
     o   Loader Apis that require filenames have the path removed before processing if present ..
     o   Added hooks for LoadLibraryExA/W API .. Can now use this with Virtual DLLs ..
     o   Added code to ExitProcess hook to delete files and file-handle list if still in mem ..
     o   Rewritten Install loop to make smaller and faster ..
     o   Added error message in case loader cannot install file ..
     o   Added option to pack with LZMA instead of aPLib ..
     o   Added some more anti-debug code ..
     o   Added commandline options -aPLib and -LZMA to choose which packer to use ..
     o   Added more error handling, especially to Loader APIs and hooks ..
     o   All Loader APIs that use name can be used with ordinals instead of NameInArchive ..
     o   Virtual File support! Now you can use Windows APIs to open virtual files in archive :
     o     CreateFileA/W -- Use as normal, file is loaded into memory and the address is returned..
     o     SetFilePointer -- Use as normal with ReadFile / WriteFile ..
     o     ReadFile -- Use as normal, just reads from memory instead of file..
     o     WriteFile -- Use as normal, but will only write to file in memory, not to the archive..
     o     GetFileSize -- Use as normal, returns unpacked size of file in archive ..
     o     CloseHandle -- Use as normal, if handle is a virtual file then will close it, else try API..
     o     GetFileAttributesA/W -- Use as normal, returns READONLY and ARCHIVE attributes for archive file ..
     o     SetFileAttributesA/W -- Use as normal, but doesn't really do anything except not return error..
     o   Host program will work as normal with these hooks, as if the files exist on disk instead of inside archive ..
     o   Added Options page:
     o     Added Option to associate EXE version with .PBP files ..
     o     Added option to choose compressor ..
     ~   Fixed bug where project file was saved as '.PBP' when save project canceled ..


Info

Greets to: snaker, Jibz & Qwerton, Jupiter, BuLLeT, Jeremy Collake, _pusher_, dila and all peeps on PEiD forum

Thanks to Jupiter and _pusher_ for beta testing..

This product uses the aPLib compression library,
Copyright (c) 1998-2006 by Joergen Ibsen, All Rights Reserved.
For more information, please visit: http://www.ibsensoftware.com/

Comments? Bugs?    You look like Jessica Alba? ;)    Email : BobSoft@GMail.com

For more plugins see my plugins site - Hosted by BuLLeT (Thanks!)

Thanks again to whoever invented coffee, without which I would never get anything done.. ;)

~ A program without bugs has either too few users, or too few uses ~